Monday, 28 March 2011

Because we British have decided that we don't need aircraft carriers, since we're not bombing anywhere in particular at the moment... apart from Libya... and maybe a few other countries that we noticed along the way, the ex-flagship Ark Royal has been put up on an auction site.

What cracks me up is the "Add to Wishlist" and "Add to Cart" buttons on the bottom.

Before you get over-excited, these pocket aircraft carriers are mostly suitable for helicopters or V/STOL jets, which aren't included in the price.

Thursday, 24 March 2011

Another fake job offer in this very long-running scam. The job on offer is actually in support of organised crime and may involve money laundering and fraudulent parcel reshipping, as well as acting as the "front" person for various other fraudulent activities... and being the first person the police drag in when it all goes wrong.

Date: 24 March 2011 04:34
Subject: We need employees in Europe

Good day!

I am writing to you in the name of the corporation the Human Resources department of which I represent.

Our corporation has a great scope of business activities.
-real property
-business support
-company dissolution
-private firm service
-etc

There is a vacancy of a Regional manager in Europe:
-compansation 2.600 euro + bonus
-bonus-job
- no fixed office hours

If you have an intention to cooperate with our company, please send your contact information on our e-mail: Josiah@west-ugroup.net
Name
Surname
Counrty
City
E-mail
Sell phone number

Remark! Applicants with the permission to work in Netherlands & Portugal only!

Please inform your name and phone number so that we can find you for further communication.

Monday, 21 March 2011

Intermedia Top SRL is a Romanian host operating a network in the 95.64.8.0/24 range. This range appears to contain nothing but malicious sites, including malware distribution, fake news sites (designed to help sell fake products), and fake anti-virus and utility applications.

Update 2 April 2011: you should also block 95.64.9.0/24, which is allocated to the same people.

AS49873 is flagged as having Zeus C&C servers, and has a pretty bad reputation at SiteVet, which shows that badness shot up at the beginning of March.

Google says:

Safe Browsing Diagnostic page for AS49873 (TELECOMPO)

What happened when Google visited sites hosted on this network?

Of the 640 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, absolutiovbf2n.info/, served content that resulted in malicious software being downloaded and installed without user consent.

The last time Google tested a site on this network was on 2011-03-19, and the last time suspicious content was found was on 2011-03-19.

Has this network hosted sites acting as intermediaries for further malware distribution?

Over the past 90 days, we found 17 site(s) on this network, including, for example, zelwwu4kk.info/, tawdry4d.info/, gru12.info/, that appeared to function as intermediaries for the infection of 33 other site(s) including, for example, nowatermark.net/, itanil.com/, itcomputerservers.com/.

Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 611 site(s), including, for example, sasae.co.cc/, slumbes.tk/, clemowceer.cz.cc/, that infected 1143 other site(s), including, for example, iwilltellyouhow.com/, saatihajj.com/, icabbies.org/.

Below is a partial list of sites found on this network, although there are a lot of others not listed here. Blocking the whole 95.64.8.0/24 is probably the best approach. A CSV of the list plus MyWOT ratings can be downloaded from here.

Tuesday, 8 March 2011

You know you are dealing with a dodgy outfit when they robo-call your mobile from a suppressed number with a recorded message that starts "Please do not hang up" and then blabbers on about debt management, inviting you to press "2" to talk to an adviser.

The dodginess continued when the "adviser" at the other end could not confirm the name of the company he worked for (he claimed not to know!) beyond "Debt Advice UK", and gave no address other than "Sussex". There is no company in the UK of this name, and since I'm TPS registered they should not have been calling me at all.

The hidden phone number, blatant disregard of the TPS and refusal to give a company name or address have all the hallmarks of something highly unethical.

If anyone has details of these scumbags, please feel free to add a comment!

Monday, 7 March 2011

I've covered Sagade before; it appears to be a completely black hat web host with no legitimate domains at all. Sagade appear to have a new IP range, 46.252.130.0 - 46.252.131.255, which is completely full of toxic sites that should be blocked.

Of the 159 site(s) we tested on this network over the past 90 days, 9 site(s), including, for example, opanaw.com/, videospartyh.info/, galleryhotf.info/, served content that resulted in malicious software being downloaded and installed without user consent.

The last time Google tested a site on this network was on 2011-02-23, and the last time suspicious content was found was on 2011-02-23.

Has this network hosted sites acting as intermediaries for further malware distribution?

Over the past 90 days, we found 16 site(s) on this network, including, for example, welcometotheglobalisnet.com/, 46.252.129.0/, welcometotheglobaliscom.com/, that appeared to function as intermediaries for the infection of 507 other site(s) including, for example, ctwatchdog.com/, deewanapan.com/, thedailyherald.com/.

Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 55 site(s), including, for example, 46.252.129.0/, sontollones.co.cc/, toney.co.cc/, that infected 2312 other site(s), including, for example, cmsocial.com/, mediafire.com/, aotsargentina.org.ar/.

SiteVet oddly shows the AS as being offline, but the accompanying "badness" chart shows a big leap in evilness since the beginning of the year, so perhaps the block was reallocated.

As well as .com domains and the like, the block hosts several hard-to-spot .cz.cc and .vv.cc domains that serve malware, much of which is being distributed through an apparently bogus ad network at traff4you.info.

So far, I can see the following domains in the block (a list with IP addresses and MyWOT ratings can be downloaded from here):

As I said, traffic seems to be fed through traff4you.info, registered on 10th December 2010 with anonymous registration details and currently hosted on a dedicated server at 206.161.200.11, although until recently it was on a shared server at 69.65.48.218. This is probably a good domain to block, and I can't see much harm in blocking access to 206.161.200.0/24 and 69.95.48.0/24 while you're at it.
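Three of the posts above end with the same advice, block a range or a server, so here is an added example (mine, not from this blog or from any of the hosts named) that turns those numbers into a checked blocklist. It collapses the two Intermedia /24s (95.64.8.0/24 plus the 95.64.9.0/24 from the update) into one /23, converts the Sagade start-end range into CIDR form, verifies that each traff4you.info server address quoted in the post is actually inside the blocks proposed for it, and runs the resulting list over a few constructed proxy log lines. The log lines are entirely constructed (hostnames and client addresses are invented, and the destination addresses are simply picked from inside the ranges); the only real data are the ranges and addresses quoted in the posts. Note what the coverage check reports: the post gives the previous shared server as 69.65.48.218 but the suggested block as 69.95.48.0/24, and the latter does not contain the former, which is exactly the kind of slip a check like this is there to catch before the rule goes into a firewall.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Ranges and addresses exactly as quoted in the posts above.
INTERMEDIA_BLOCKS = ["95.64.8.0/24", "95.64.9.0/24"]       # 21 March post plus its update
SAGADE_RANGE = ("46.252.130.0", "46.252.131.255")          # 7 March post, start-end form
TRAFF4YOU_BLOCKS = ["206.161.200.0/24", "69.95.48.0/24"]   # 7 March post, as written
TRAFF4YOU_HOSTS = {                                        # 7 March post, as written
    "current dedicated server": "206.161.200.11",
    "previous shared server": "69.65.48.218",
}


def collapse(cidrs: Iterable[str]) -> List[str]:
    """Merge adjacent or overlapping networks into the smallest equivalent set."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Express a dotted start-end range as CIDR blocks (one block when it is aligned)."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def is_blocked(ip: str, cidrs: Iterable[str]) -> bool:
    """True if the address falls inside any of the given blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def uncovered(hosts: Dict[str, str], cidrs: Iterable[str]) -> Dict[str, str]:
    """Return the named hosts that are NOT covered by the proposed blocks."""
    blocks = list(cidrs)
    return {label: ip for label, ip in hosts.items() if not is_blocked(ip, blocks)}


# Constructed Squid-style access-log lines: hostnames and client addresses are
# invented; destination addresses are picked from inside the ranges above.
SAMPLE_LOG = """\
1300700000.123 45 10.0.0.7 TCP_MISS/200 5123 GET http://news-update.example/ - DIRECT/95.64.8.77 text/html
1300700001.456 12 10.0.0.9 TCP_MISS/200 812 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
1300700002.789 30 10.0.0.7 TCP_MISS/200 4409 GET http://traff4you.info/ - DIRECT/206.161.200.11 text/javascript
1300700003.012 9 10.0.0.3 TCP_MISS/200 1200 GET http://cheap-av.example/ - DIRECT/46.252.131.9 text/html
"""

_DEST = re.compile(r"\bDIRECT/(\d{1,3}(?:\.\d{1,3}){3})\b")
_URL = re.compile(r"\b(?:GET|POST|CONNECT)\s+(\S+)")


def flag_log_lines(lines: Iterable[str], cidrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (destination IP, URL) for every line whose destination is in a blocked range."""
    blocks = list(cidrs)
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = _DEST.search(line)
        if m and is_blocked(m.group(1), blocks):
            u = _URL.search(line)
            hits.append((m.group(1), u.group(1) if u else ""))
    return hits


def build_blocklist() -> List[str]:
    """Everything the three posts recommend blocking, collapsed into a minimal CIDR set."""
    return collapse(INTERMEDIA_BLOCKS + range_to_cidrs(*SAGADE_RANGE) + TRAFF4YOU_BLOCKS)


if __name__ == "__main__":
    print("blocklist:", build_blocklist())
    print("not covered by proposed blocks:", uncovered(TRAFF4YOU_HOSTS, TRAFF4YOU_BLOCKS))
    for ip, url in flag_log_lines(SAMPLE_LOG.splitlines(), build_blocklist()):
        print("blocked destination:", ip, url)
```

The coverage check is the part worth keeping around: whenever a write-up hands you both a server address and a range to block, feed them through `uncovered()` before committing the rule, because a single transposed digit in a /24 silently blocks the wrong network and leaves the real one reachable.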